Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
06-01-2025 02:54
Static task
static1
Behavioral task
behavioral1
Sample
8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
Resource
win7-20240903-en
General
-
Target
8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
-
Size
71.7MB
-
MD5
6da280fb9c2da7913e9c801b4de02f47
-
SHA1
119298d4791194344e819d512638165a1517525b
-
SHA256
8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99
-
SHA512
78f66c181d572bd0a12b748770578bb85b8c447c3fbc686d19b61bc226f185f512b6a3176fd04f147a5531fa281804b5fb393c3d30d0e6cd4a131d1c2ab5fe86
-
SSDEEP
12288:FRjEparvru3GWf+6vk7A5oI+3qYc40Y+wyNdl3sT9xvgihDqOn0JroELnF0soYqn:/Eaq3GWZvkWoQk0y
Malware Config
Extracted
lumma
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
https://swingybeattyz.sbs/api
Extracted
lumma
https://swingybeattyz.sbs/api
https://abruptyopsn.shop/api
https://wholersorie.shop/api
https://framekgirus.shop/api
https://tirepublicerj.shop/api
https://noisycuttej.shop/api
https://rabidcowse.shop/api
https://cloudewahsj.shop/api
Signatures
-
Lumma family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f
107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 
1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f0474
30723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2084 8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2084 8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe"C:\Users\Admin\AppData\Local\Temp\8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2084
Network
-
Remote address:8.8.8.8:53Requestswingybeattyz.sbsIN AResponseswingybeattyz.sbsIN A104.21.57.130swingybeattyz.sbsIN A172.67.163.221
-
POSThttps://swingybeattyz.sbs/api8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exeRemote address:104.21.57.130:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: swingybeattyz.sbs
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=7dfmapje5feb4keljfs39et4hu; expires=Thu, 01 May 2025 20:41:01 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hEsWHsM4pXmWWgQfhvax7U7Xhfq6KMH5GU0x%2BElsEWMxHmOVdE4CyQSwUoAXok%2FX8yq8gmRtp7ijG88dzlEr2LsbiPEKYW0iyXKfvj0BLFyiyHLEOmnHB1e0CYUFpQ%2BN3NWGXw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd86c4b09059427-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=63875&min_rtt=59370&rtt_var=20744&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=585&delivery_rate=61161&cwnd=253&unsent_bytes=0&cid=a0e698d7cdb54836&ts=316&x=0"
-
Remote address:8.8.8.8:53Requestnearycrepso.shopIN AResponse
-
Remote address:8.8.8.8:53Requestabruptyopsn.shopIN AResponseabruptyopsn.shopIN A104.21.80.1abruptyopsn.shopIN A104.21.96.1abruptyopsn.shopIN A104.21.16.1abruptyopsn.shopIN A104.21.112.1abruptyopsn.shopIN A104.21.32.1abruptyopsn.shopIN A104.21.64.1abruptyopsn.shopIN A104.21.48.1
-
POSThttps://abruptyopsn.shop/api8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exeRemote address:104.21.80.1:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: abruptyopsn.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=gbm2apoi6msaloaajigu1rk5v6; expires=Thu, 01 May 2025 20:41:01 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qKSQWtjUHF0AJ1aGmVf%2FA8FsrbwgWgrW8gvU0g7IDgxymR62gePYqnoay58P7rSEJKd7n4mmDjSSi9QbC9sl1d82qmLtD3MndAEGxhqpeVCx8Rzdf7KyrnGRbL7i24yPgDuY"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd86c50bf32776b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60028&min_rtt=59107&rtt_var=18441&sent=7&recv=9&lost=0&retrans=1&sent_bytes=3128&recv_bytes=584&delivery_rate=61579&cwnd=253&unsent_bytes=0&cid=4c236a8ccabfba66&ts=664&x=0"
-
Remote address:8.8.8.8:53Requestwholersorie.shopIN AResponsewholersorie.shopIN A104.21.41.51wholersorie.shopIN A172.67.160.114
-
POSThttps://wholersorie.shop/api8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exeRemote address:104.21.41.51:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: wholersorie.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=l5dl06bdra6lt7797gfh63b4f2; expires=Thu, 01 May 2025 20:41:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dfsRDyccfyV9Fa5639DaF6iyp3Dy6Yw8AgQAbSNMWtFDsVmpsd%2BZOVUw5%2F7uruAurE4JAJdTtuUnvMMqCILhC8v%2FkY%2Fmzv%2BWMVOdi2c%2BCLnyWXpyx0DiQ1Vfg3lwZYDCvlcO"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd86c53c878d1fa-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60871&min_rtt=59315&rtt_var=15225&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2858&recv_bytes=584&delivery_rate=62059&cwnd=253&unsent_bytes=0&cid=48ba223a72c35cb6&ts=308&x=0"
-
Remote address:8.8.8.8:53Requestframekgirus.shopIN AResponseframekgirus.shopIN A172.67.179.160framekgirus.shopIN A104.21.18.19
-
POSThttps://framekgirus.shop/api8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exeRemote address:172.67.179.160:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: framekgirus.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=k9ema84ucueqebfoa576ch6rnq; expires=Thu, 01 May 2025 20:41:02 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QuvSNIAuhLnBmepssQ7KIaMNa47rKsPgQuz%2FugHl1giOnOPViYUjkFbOo75%2FrX%2FR7bL7c74Xwk9vcvFHp3t1LLmgwNXVzve4zdwU9wAtGujxh%2B3dLsu3tPoAAwGX%2BQ8qRieZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd86c56ebae419b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=61420&min_rtt=59453&rtt_var=15491&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2857&recv_bytes=584&delivery_rate=59587&cwnd=249&unsent_bytes=0&cid=76e636a20f409127&ts=300&x=0"
-
Remote address:8.8.8.8:53Requesttirepublicerj.shopIN AResponsetirepublicerj.shopIN A104.21.80.1tirepublicerj.shopIN A104.21.64.1tirepublicerj.shopIN A104.21.96.1tirepublicerj.shopIN A104.21.16.1tirepublicerj.shopIN A104.21.32.1tirepublicerj.shopIN A104.21.48.1tirepublicerj.shopIN A104.21.112.1
-
POSThttps://tirepublicerj.shop/api8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exeRemote address:104.21.80.1:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: tirepublicerj.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=c15rr9kr5ii1ja10d9mfmiekgh; expires=Thu, 01 May 2025 20:41:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gOsOTn2v04irl6%2F7BnDbGbkhKXVSkqcgp%2BCmnEd1XauH1NH%2BUqZGGQDV%2BSumSZGNDxxt2fLTPDh2IJL9MLKOnw%2FOZMvXjqQOXru0NNdMKVDL6EBMG%2Fx7CU7UB0ZHa9C0zHWkJ%2Bs%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd86c59e832f650-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60551&min_rtt=59138&rtt_var=14905&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=586&delivery_rate=62540&cwnd=253&unsent_bytes=0&cid=124858c5510e5d26&ts=307&x=0"
-
Remote address:8.8.8.8:53Requestnoisycuttej.shopIN AResponsenoisycuttej.shopIN A104.21.71.146noisycuttej.shopIN A172.67.170.178
-
POSThttps://noisycuttej.shop/api8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exeRemote address:104.21.71.146:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: noisycuttej.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=3k25q1tmercavlp2h65dmb29nf; expires=Thu, 01 May 2025 20:41:03 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OJ9JKKvN2vqMFNXl8ikgGOEGL%2BrzH7tXholEcF09i0P6j1r5%2BY5KQTmEuZVimKJpI1B4W0wa92xyscMUnp%2BRi2UVG5%2BlhAlfCGNzpijzppsatuVbgws%2F%2Bi0%2BHwyij3QAhbIO"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd86c5d0d27bd7f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=61836&min_rtt=59913&rtt_var=15600&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2859&recv_bytes=584&delivery_rate=60559&cwnd=253&unsent_bytes=0&cid=022d827465361ee4&ts=308&x=0"
-
Remote address:8.8.8.8:53Requestrabidcowse.shopIN AResponserabidcowse.shopIN A104.21.7.224rabidcowse.shopIN A172.67.156.127
-
POSThttps://rabidcowse.shop/api8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exeRemote address:104.21.7.224:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: rabidcowse.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=6avkk7timia1369pin3an2one0; expires=Thu, 01 May 2025 20:41:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4CH84zBEyhYgk89Wdjhs53SqwGiyESDiGVac83Mq%2BzWk5VmMAUxInKExrty3G7KaK7Jjo5T3uiX2MWH8%2F95oSouDP0opsHTBitN9OoN%2FyaNdzMlvxY4fbSteSeC0QZDRDKQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd86c601f546556-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60897&min_rtt=59597&rtt_var=14737&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2853&recv_bytes=583&delivery_rate=61405&cwnd=246&unsent_bytes=0&cid=237a21c661663950&ts=294&x=0"
-
Remote address:8.8.8.8:53Requestcloudewahsj.shopIN AResponsecloudewahsj.shopIN A104.21.96.1cloudewahsj.shopIN A104.21.80.1cloudewahsj.shopIN A104.21.64.1cloudewahsj.shopIN A104.21.48.1cloudewahsj.shopIN A104.21.16.1cloudewahsj.shopIN A104.21.112.1cloudewahsj.shopIN A104.21.32.1
-
POSThttps://cloudewahsj.shop/api8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exeRemote address:104.21.96.1:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: cloudewahsj.shop
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ugv597ae3umfo7h6mic2m9ejl0; expires=Thu, 01 May 2025 20:41:04 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o9LZMaTm8artw1Vf5stuP83Tr5ShkaaRtrYwVkrtqPzgrFOa65qeV2uxyuZH%2BGg%2BXO%2BW%2FZYt6kWpnqOFOlkY0vaLtwe06d9pBLfpY%2FRq6u8FdRsry3w1PN%2BmyGG%2BxL6LmqYO"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fd86c632a8f6532-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=63057&min_rtt=59480&rtt_var=16198&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2852&recv_bytes=584&delivery_rate=59509&cwnd=253&unsent_bytes=0&cid=8911cb2a6185b69b&ts=315&x=0"
-
Remote address:8.8.8.8:53Requeststeamcommunity.comIN AResponsesteamcommunity.comIN A23.214.143.155
-
GEThttps://steamcommunity.com/profiles/765611997243319008e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exeRemote address:23.214.143.155:443RequestGET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Mon, 06 Jan 2025 02:54:26 GMT
Content-Length: 35588
Connection: keep-alive
Set-Cookie: sessionid=c7bd66fa29d6ecf2a57cd453; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
-
Remote address:8.8.8.8:53Requestlev-tolstoi.comIN AResponse
-
104.21.57.130:443https://swingybeattyz.sbs/apitls, http8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe981 B 4.5kB 9 9
HTTP Request
POST https://swingybeattyz.sbs/apiHTTP Response
200 -
104.21.80.1:443https://abruptyopsn.shop/apitls, http8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe1.1kB 4.8kB 11 10
HTTP Request
POST https://abruptyopsn.shop/apiHTTP Response
200 -
104.21.41.51:443https://wholersorie.shop/apitls, http8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe980 B 4.5kB 9 9
HTTP Request
POST https://wholersorie.shop/apiHTTP Response
200 -
172.67.179.160:443https://framekgirus.shop/apitls, http8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe980 B 4.4kB 9 9
HTTP Request
POST https://framekgirus.shop/apiHTTP Response
200 -
104.21.80.1:443https://tirepublicerj.shop/apitls, http8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe982 B 4.5kB 9 9
HTTP Request
POST https://tirepublicerj.shop/apiHTTP Response
200 -
104.21.71.146:443https://noisycuttej.shop/apitls, http8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe980 B 4.5kB 9 9
HTTP Request
POST https://noisycuttej.shop/apiHTTP Response
200 -
104.21.7.224:443https://rabidcowse.shop/apitls, http8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe979 B 4.4kB 9 9
HTTP Request
POST https://rabidcowse.shop/apiHTTP Response
200 -
104.21.96.1:443https://cloudewahsj.shop/apitls, http8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe980 B 4.5kB 9 9
HTTP Request
POST https://cloudewahsj.shop/apiHTTP Response
200 -
23.214.143.155:443https://steamcommunity.com/profiles/76561199724331900tls, http8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe1.6kB 43.0kB 23 37
HTTP Request
GET https://steamcommunity.com/profiles/76561199724331900HTTP Response
200
-
8.8.8.8:53swingybeattyz.sbsdns8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe63 B 95 B 1 1
DNS Request
swingybeattyz.sbs
DNS Response
104.21.57.130 172.67.163.221
-
8.8.8.8:53nearycrepso.shopdns8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe62 B 119 B 1 1
DNS Request
nearycrepso.shop
-
8.8.8.8:53abruptyopsn.shopdns8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe62 B 174 B 1 1
DNS Request
abruptyopsn.shop
DNS Response
104.21.80.1 104.21.96.1 104.21.16.1 104.21.112.1 104.21.32.1 104.21.64.1 104.21.48.1
-
8.8.8.8:53wholersorie.shopdns8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe62 B 94 B 1 1
DNS Request
wholersorie.shop
DNS Response
104.21.41.51 172.67.160.114
-
8.8.8.8:53framekgirus.shopdns8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe62 B 94 B 1 1
DNS Request
framekgirus.shop
DNS Response
172.67.179.160 104.21.18.19
-
8.8.8.8:53tirepublicerj.shopdns8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe64 B 176 B 1 1
DNS Request
tirepublicerj.shop
DNS Response
104.21.80.1 104.21.64.1 104.21.96.1 104.21.16.1 104.21.32.1 104.21.48.1 104.21.112.1
-
8.8.8.8:53noisycuttej.shopdns8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe62 B 94 B 1 1
DNS Request
noisycuttej.shop
DNS Response
104.21.71.146 172.67.170.178
-
61 B 93 B 1 1
DNS Request
rabidcowse.shop
DNS Response
104.21.7.224 172.67.156.127
-
8.8.8.8:53cloudewahsj.shopdns8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe62 B 174 B 1 1
DNS Request
cloudewahsj.shop
DNS Response
104.21.96.1 104.21.80.1 104.21.64.1 104.21.48.1 104.21.16.1 104.21.112.1 104.21.32.1
-
8.8.8.8:53steamcommunity.comdns8e478472737ee141955d91e3c15c370ed92914eba06b21ad84fe056026b69e99.exe64 B 80 B 1 1
DNS Request
steamcommunity.com
DNS Response
23.214.143.155
-
61 B 134 B 1 1
DNS Request
lev-tolstoi.com
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b